January 13, 2025

Hello, I'm excited to try out the Tailscale container level compatibility in 7.0. I was doing some docker inspecting and reviewing the Uncast episode that demonstrated some of this. I was trying to replicate the implementation with my existing docker compose .yml files as this would allow me to continue to manage IaC without being locked in to the Unraid GUI.

I've been facing some challenges however. One container failed to execute the entrypoint and stated it could not be found, perhaps due to a lack of a shell? (traefik/whoami)

I did a more direct test with apprise-api side by side with the apprise plugin from the community store. It starts, installs Tailscale, I add the machine to the list of machines, but upon container restart it fails to move past that point and launch the actual application.

1) Is it expected I should be able to do this assuming the compose values are correct? I assume I'd have to hard code in things that are auto-populated in the dockerman version, such as the Tailscale webui values.
2) Assuming 1 is yes, can someone help me look at this?

Here are some logs and compose info. For reference, I've tried both with and without my TZ/UID/PID environmental flags commented out. Thank you.

```
2025-01-13T21:42:28.658026353Z =======================
2025-01-13T21:42:28.658045082Z
2025-01-13T21:42:28.658052166Z Executing Unraid Docker Hook for Tailscale
2025-01-13T21:42:28.658055752Z
2025-01-13T21:42:28.662799998Z Detecting Package Manager...
2025-01-13T21:42:28.663373501Z Detected Advanced Package Tool!
2025-01-13T21:42:28.663387540Z Installing packages...
2025-01-13T21:42:28.663392067Z Please wait...
2025-01-13T21:42:31.796819517Z Packages installed!
2025-01-13T21:42:31.796841812Z Tailscale not found, downloading...
2025-01-13T21:42:31.796844787Z Please wait...
/tmp/tailscale/tail 100%[===================>] 28.57M 85.1MB/s in 0.3s
2025-01-13T21:42:33.024833968Z Download from Tailscale version 1.78.1 successful!
2025-01-13T21:42:33.481354719Z Installation Done!
2025-01-13T21:42:33.481378170Z Settings Tailscale state dir to: /.tailscale_state
2025-01-13T21:42:33.481398240Z Setting host name to "apprise"
2025-01-13T21:42:33.482520183Z Starting tailscaled with log file location: /var/log/tailscaled
2025-01-13T21:42:33.482581133Z Starting tailscale
2025-01-13T21:42:37.958552452Z Some peers are advertising routes but --accept-routes is false
2025-01-13T21:42:38.036568706Z WARNING: Tailscale Key will expire in 179 days.
2025-01-13T21:42:38.036591501Z Navigate to https://login.tailscale.com/admin/machines and 'Disable Key Expiry' for apprise
2025-01-13T21:42:38.036595714Z See: https://tailscale.com/kb/1028/key-expiry
2025-01-13T21:42:38.036600675Z Enabling Serve! See https://tailscale.com/kb/1312/serve
2025-01-13T21:42:38.041699865Z Available within your tailnet:
2025-01-13T21:42:38.041719067Z
2025-01-13T21:42:38.041722195Z https://apprise.mytailnethere.ts.net/
2025-01-13T21:42:38.041724397Z |-- proxy http://localhost:8000
2025-01-13T21:42:38.041726813Z
2025-01-13T21:42:38.041729066Z Serve started and running in the background.
2025-01-13T21:42:38.060279684Z Starting container...
2025-01-13T21:42:38.060298082Z
2025-01-13T21:42:38.060301060Z =======================
2025-01-13T21:42:38.060303343Z
2025-01-13T21:42:39.432244595Z =======================
2025-01-13T21:42:39.432257776Z
2025-01-13T21:42:39.432260558Z Executing Unraid Docker Hook for Tailscale
2025-01-13T21:42:39.432262620Z
2025-01-13T21:42:39.433416112Z Tailscale found, continuing...
2025-01-13T21:42:39.433429799Z Settings Tailscale state dir to: /.tailscale_state
2025-01-13T21:42:39.433458431Z Setting host name to "apprise"
2025-01-13T21:42:39.434202121Z Starting tailscaled with log file location: /var/log/tailscaled
2025-01-13T21:42:39.434246604Z Starting tailscale
2025-01-13T21:42:41.870132753Z Some peers are advertising routes but --accept-routes is false
2025-01-13T21:42:41.960053499Z WARNING: Tailscale Key will expire in 179 days.
2025-01-13T21:42:41.960083986Z Navigate to https://login.tailscale.com/admin/machines and 'Disable Key Expiry' for apprise
2025-01-13T21:42:41.960088881Z See: https://tailscale.com/kb/1028/key-expiry
2025-01-13T21:42:41.960092263Z Enabling Serve! See https://tailscale.com/kb/1312/serve
2025-01-13T21:42:41.966385398Z Available within your tailnet:
2025-01-13T21:42:41.966416700Z
2025-01-13T21:42:41.966420417Z https://apprise.mytailnethere.ts.net/
2025-01-13T21:42:41.966423352Z |-- proxy http://localhost:8000
2025-01-13T21:42:41.966426371Z
2025-01-13T21:42:41.966429264Z Serve started and running in the background.
2025-01-13T21:42:41.994140523Z Starting container...
2025-01-13T21:42:41.994168707Z
2025-01-13T21:42:41.994173447Z =======================
2025-01-13T21:42:41.994177048Z
```

```yaml
services:
  apprise:
    image: caronc/apprise:latest
    container_name: apprise
    restart: unless-stopped
    profiles: ["all", "core", "notify"]
    networks:
      web-proxy:
      app-bridge:
      gluetun-bridge:
        ipv4_address: ${IPV4_ADDR_APPRISE}
    ports:
      - ${PORT_APPRISE:-8000}:8000
    entrypoint:
      - /opt/unraid/tailscale
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    volumes:
      - ${APPDATA_DIR}/apprise/config:/config
      - ${APPDATA_DIR}/apprise/plugin:/plugin
      - ${APPDATA_DIR}/apprise/attach:/attach
      - ${TAILSCALE_DIR}/apprise:/.tailscale_state
      - /usr/local/share/docker/tailscale_container_hook:/opt/unraid/tailscale
    environment:
      TZ: ${TZ}
      PUID: ${PUID}
      PGID: ${PGID}
      APPRISE_STATEFUL_MODE: simple
      APPRISE_WORKER_COUNT: 1
      APPRISE_CONFIG_LOCK: no
      TAILSCALE_ALLOW_LAN_ACCESS: false
      TAILSCALE_USE_SSH: false
      TAILSCALE_USERSPACE_NETWORKING: false
      TAILSCALE_SERVE_PORT: 8000
      TAILSCALE_HOSTNAME: apprise
      #TAILSCALE_FUNNEL: true # funnel mode
      TAILSCALE_STATE_DIR: /.tailscale_state
    labels:
      logging.promtail: true
      traefik.enable: true
      traefik.docker.network: ${PROXY_NETWORK}
      traefik.http.routers.apprise.entrypoints: https
      traefik.http.routers.apprise.rule: Host(`${SUBDOMAIN_APPRISE}.${DOMAINNAME}`)
      traefik.http.routers.apprise.middlewares: chain-private@file
      traefik.http.services.apprise.loadbalancer.server.port: 8000
      net.unraid.docker.managed: composeman
      net.unraid.docker.webui: https://${SUBDOMAIN_APPRISE}.${DOMAINNAME}
      net.unraid.docker.icon: https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/apprise-api-logo.png
      net.unraid.docker.tailscale.webui: https://apprise.mytailnethere.ts.net
      net.unraid.docker.tailscale.hostname: apprise
      homepage.instance.adam.group: Notifications
      homepage.instance.adam.name: Apprise CLI
      homepage.instance.adam.icon: apprise.png
      homepage.instance.adam.href: https://${SUBDOMAIN_APPRISE}.${DOMAINNAME}
      homepage.instance.adam.description: Apprise managed configurations GUI
```

Edited January 13, 2025 by adamfl
Old diags attached - removed

January 14, 2025
Solution

If you're already using Compose, I would recommend using either TSDProxy or Tailscale sidecar containers instead of trying to invoke the Tailscale injection provided by Unraid 7. Either of those tools is better/safer than trying to modify containers on the fly.
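
The sidecar layout recommended above, sketched for the apprise service from the first post. This is an added example, not a configuration posted by anyone in the thread; the `apprise-ts` service name, the `TS_AUTHKEY` variable and the `ts-config` path are assumptions.

```yaml
# Added example, not from the thread: apprise behind a Tailscale sidecar.
# The app image is left untouched: no replaced entrypoint, no NET_ADMIN,
# no /dev/net/tun. Only the sidecar holds those.
services:
  apprise-ts:                          # assumed service name
    image: tailscale/tailscale:latest
    container_name: apprise-ts
    hostname: apprise                  # machine name shown in the tailnet
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    environment:
      TS_AUTHKEY: ${TS_AUTHKEY}        # assumed variable; keep it in .env, out of git
      TS_STATE_DIR: /var/lib/tailscale
      TS_USERSPACE: "false"            # kernel networking, as in the original post
      TS_SERVE_CONFIG: /config/serve.json
    volumes:
      - ${TAILSCALE_DIR}/apprise:/var/lib/tailscale
      - ${APPDATA_DIR}/apprise/ts-config:/config:ro   # assumed path holding serve.json
    # Ports and networks for the app must be declared here, because the app
    # container below shares this container's network namespace.
    ports:
      - ${PORT_APPRISE:-8000}:8000

  apprise:
    image: caronc/apprise:latest
    container_name: apprise
    restart: unless-stopped
    network_mode: service:apprise-ts   # join the sidecar's network namespace
    depends_on:
      - apprise-ts
    volumes:
      - ${APPDATA_DIR}/apprise/config:/config
      - ${APPDATA_DIR}/apprise/plugin:/plugin
      - ${APPDATA_DIR}/apprise/attach:/attach
    environment:
      TZ: ${TZ}
      PUID: ${PUID}
      PGID: ${PGID}
      APPRISE_STATEFUL_MODE: simple

# serve.json (constructed; mirrors "proxy http://localhost:8000" from the log):
# {"TCP": {"443": {"HTTPS": true}},
#  "Web": {"${TS_CERT_DOMAIN}:443":
#    {"Handlers": {"/": {"Proxy": "http://127.0.0.1:8000"}}}}}
```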

January 14, 2025
Author

3 hours ago, EDACerton said:
> If you're already using Compose, I would recommend using either TSDProxy or Tailscale sidecar containers instead of trying to invoke the Tailscale injection provided by Unraid 7. Either of those tools is better/safer than trying to modify containers on the fly.

I will check out TSDProxy. What I didn't like about the sidecar Tailscale container approach (though quite easy it seems) is the 1:1 relationship of the containers. I also was looking at some Reddit threads where people were doing a sidecar only for Traefik or Caddy and then trying to serve both ts.net and their FQDN URLs all from the proxy. If you have any tips, happy to learn more!

January 14, 2025

5 hours ago, adamfl said:
> If you have any tips, happy to learn more!

I would also recommend TSDProxy or even the Tailscale sidecar method if you are using compose.

January 15, 2025
Author

I've got TSDProxy set up and that's playing nicely, but now I'm trying to get Traefik to play nice with Tailscale directly. I tried using Tailscale serve to redirect incoming traffic via Tailscale to a specific Traefik entrypoint so I wouldn't have to do like, portainer.mydomain.com:8443 instead of :443 to load the Tailscale route, but without Traefik in host mode it's just a PITA.

I think I'll either land on just using the TSDProxy URLs in my homepage dashboard for non-shared apps and remove them from Traefik, or keep an ipAllowList and forwardAuth in front of their internet addressable URLs on my FQDN. I'm using NextDNS and split horizon DNS for publicly accessible apps currently, and only private DNS lookups for non-public apps.

June 23, 2025

I'll have a look at TSDProxy. The 1:1 link between the containers is what I disliked about the sidecar Tailscale container technique, despite the fact that it appears to be quite simple. Additionally, I was examining several Reddit posts where users were performing sidecars exclusively for Traefik.